Information Security News mailing list archives
Hacking away at Government
From: William Knowles <wk () C4I ORG>
Date: Fri, 2 Jun 2000 10:33:28 -0500
http://web.lexis-nexis.com/more/cahners-chicago/11407/5907060/2

Governing Magazine
June, 2000
FEATURE; Page 76

"Fresno Means Business" is the first thing you see when you visit the California city's Web page, and to emphasize the point, there is a collage of pictures showing the downtown skyline and business people working. The message, the collage says in so many words, is "Development and Economic Vitality."

So you can imagine city officials' displeasure one day last November when the skyline and business people were suddenly gone, replaced with a different message: "Hacked by globher."

It wasn't the first time Fresno's site had been hacked. Three weeks earlier, another intruder had taken down the site and replaced it with boastful gibberish and profanity. Fortunately, during both incidents, no major damage was done, and each time the city's Web team had the site cleaned up in less than an hour. "We thought we were covered, but they knew the tricks to get into the server," says Allen Smith, Fresno's webmaster. "If we had kept up with Microsoft's security alerts, we would have been OK."

If officials in Fresno are a bit embarrassed by these incidents, they have plenty of company. According to records on Web site defacements kept by attrition.org, a hacking watchdog, more than five dozen state and local governments or agencies were attacked in the six months between November and April.

The day after the second hit on Fresno, for example, a hacker who goes by the name "YTCracker" attacked one of the less likely targets in the state of New York: the Department of Agriculture and Markets. Again, no serious harm was done, although it also must have left some in the department blushing. Among other things, the hacker scrawled the quote "YTCracker is cool" under a picture of Governor George Pataki. "The whole episode really woke us up to the possibility that even we can get hacked," says Peter Gregg, a department spokesman. "We figured, who'd want to hack us?"

By now, most state and local governments have staked out a presence on the Internet, but in the race to get online, network security has been something of an afterthought. What they're starting to find--some of them the hard way--is that anyone on the Internet, even the most obscure government agency, is a target for computer hackers. "It's really a matter of when, not if, you'll be attacked," says Mark Zajicek, a computer security expert with the CERT Coordination Center at Carnegie Mellon University. "Once you connect to the Internet, the rest of the Internet is connected to you."

Fresno, like most places that have been hit by hackers so far, was lucky: The site contained only such static information as press releases, job listings and city phone numbers. This time around, the hacker attacks amounted to little more than digital graffiti. The damage, in fact, was probably easier to remove than spray paint from a wall.

In the era of digital government, however, network security will only increase in importance and complexity. Fresno, like nearly every state, city and county, is looking into delivering services online, from tax collection to issuing permits. It is an exciting development, but the flip side is that each new service opens a channel into government computer networks for hackers to exploit.

Web-enabled government not only exposes a new Achilles heel to malicious hackers but also elevates the battle against them to a new level. To hackers, a digital government is simply a juicier target. There is more havoc to wreak by breaking in, and more notoriety to be gained. To state and local governments, credibility is on the line: The success or failure of their Web ventures will hinge on citizens' faith in their security to use them.

"Every time a state or local government moves a new process into the cyber-domain, it raises vulnerability," says Steven Trevino, an executive with Infrastructure Defense Inc., a network security firm that is working with Public Technology Inc. to assess the security needs of local governments. "It's a risk-management proposition they've never had to deal with."

SNIFFING OUT HACKERS

The war on hackers, quite expectedly, has spawned a booming market for security software and hardware. State and local governments are installing firewalls to separate data on internal systems from what goes up on the Web. Soon after being hacked, the New York agriculture department stocked up on intrusion-detection software that can sniff out a hacker's moves before any damage is done.

The scary thing, however, is that even vendors who sell the stuff admit that no amount of network protection could keep out the smartest, most dedicated hackers. Of course, one doesn't even need to be a computer geek to be a hacker these days. Anyone can learn the basics by visiting a number of Web sites that essentially teach "hacking for dummies" lessons. Even a lot of the technical work of hacking has been automated, in programs that can be downloaded off the Internet for free.

In many ways, network security is a cat-and-mouse game. Nearly every piece of technology running the Internet today has a bug in it somewhere for hackers to exploit. Companies such as Microsoft are continually issuing security warnings about holes in their software, and offering "patches" that fix the problem. Of course, the bad guys pay attention to these warnings too, and use them as a road map for breaking into systems that haven't been updated. "Just buying the latest commercial products may give you a false sense of security," says Zajicek. "Unless you're continually upgrading, it's just a race between your product and the latest attack methods."

While spending money on upgrading software and hardware can certainly help, that is the easy part, security experts say. The hard part is cultivating a management culture that recognizes the importance of security and the urgency of addressing security issues quickly. The political need to get more information and new services online as fast as possible often trumps the practical need to have a well-fortified site. Moreover, many state and local IT departments are chronically understaffed, already tugged in a hundred different directions.

The lesson, management-wise, from a recent security incident in the city of Sunnyvale, California, is that it pays to be proactive. Back in February, at the same time that popular Web sites such as Yahoo!, eBay and CNN.com were being shut down by so-called "distributed denial of service" attacks, Sunnyvale's IT managers noticed that something funny was happening to their site, too. Traffic suddenly shot up six-fold, and engineers determined that much of the increased traffic was coming from one particular address in Virginia. They immediately took measures to block hits from that address, and the problem went away.

Sunnyvale Chief Information Officer Shawn Hernandez says he's still not sure whether the incident was related to the attacks on Yahoo! and the others. And unlike those attacks, the increased traffic on Sunnyvale's site never peaked high enough to shut it down. That's all the more reason to take a proactive stance. "You have to constantly monitor your network, be familiar with the level of traffic expected, and zero in on that when it fluctuates," Hernandez says. "When you see abnormal situations, you need to investigate and jump on it immediately."

HIRING WHITE HATS

In that vein, security experts say that every government on the Web should be aware of what its security weaknesses are. Some have taken to hiring ethical hackers, or "white hats," who break into their systems in order to assess what holes exist. Ideally, governments should patch those holes up, or at bare minimum, monitor them closely, and should have a plan for dealing with hacker attacks when they do, inevitably, happen.

Unfortunately, it is often not until a security breach occurs that a more comprehensive security plan takes shape. By then, of course, it is too late--although not too late to keep it from happening again.

It took just 13 minutes last March for a hacker to break into the Web page of the Oklahoma Department of Libraries. But it took six days for the department to get the site back up. In the wake of the incident, Web development officer Michael O'Hasson performed an extensive security assessment and shared lessons from the episode at a state Web managers' meeting.

The lessons read like a self-help pamphlet for techies. "Do not think that obscurity will save you," says one. "Never assume that prior security patches were done before," reads another. The other points make clear the need to have contingency plans in place, such as having a "summer home" for a Web site, an alternate place to host the site in case of emergency.

In the meantime, the Oklahoma Department of Libraries--like Fresno and a lot of other state and local agencies that thought they were safe--can take comfort in the fact that this round with the hackers has really been something of an exhibition match. It's the next round, with confidential taxpayer data and credit-card numbers at stake, when the score will really count.

"The break-in right now is actually good for us," says Allen Smith, the Fresno webmaster. "We don't have that stuff out there now, but we're planning on it. Actually, it's good timing, because it made us more aware of what we need to look at."

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*-------------------------------------------------*